Cloud Secure Edge configuration

[btbutts]

This appears like a very featureful add-on and I'd say that the configuration went smoothly since I had no issues getting the OIDC button to show up in the HA login page, nor are there any issues when this add on redirects to my IdP & I complete authentcation and MFA. For the purposes of this configuration, I am using an IdP called Cloud Secure Edge (CSE, formerly Banyan Security), which is actually functioning as a OIDC enabled middle-ware that allows for strengthening authentication flows, and enabled very secure user and device verification workflows. It refers to my primary IdP, OneLogin, to take care of the basic user auth and push-based MFA, then CSE checks for the presence of a user certificate, as another form of MFA. All of this is succeeding though, as I've determined in both the CSE and OneLogin logs. The only place I am getting errors is Home Assistant.

That all said, I do suspect that my claims configuration may need to be tweaked a bit, but that won't be possible until the authentication flow between this add-on and CSE succeeds far enough that the claims are transited from CSE to the add-on. At that point, I can capture the output using an OIDC tracer app, to determine the appropriate claim names, since these are generated, and unconfigurable by CSE. It's a standard implementation practice with CSE that has worked well with my other SP(s). Unfortunately, however, from what I've seen in the authentication flows, it's not getting that far due to this error: Attempt to decode JSON with unexpected mimetype: text/html; charset=utf-8!

However, immediately following authentication, as my IdP redirects back to HA, I receive a 500 sever error on a totally blank white webpage:

500 Internal Server Error

Server got itself in trouble

I also receive the following error in home assistant's logs:

Click to unhide log output

2025-12-08 01:13:57.353 ERROR (MainThread) [aiohttp.server] Error handling request from 192.168.98.166
Traceback (most recent call last):
  File "/usr/local/lib/python3.13/site-packages/aiohttp/web_protocol.py", line 510, in _handle_request
    resp = await request_handler(request)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.13/site-packages/aiohttp/web_app.py", line 569, in _handle
    return await handler(request)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.13/site-packages/aiohttp/web_middlewares.py", line 117, in impl
    return await handler(request)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/components/http/security_filter.py", line 92, in security_filter_middleware
    return await handler(request)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/components/http/forwarded.py", line 87, in forwarded_middleware
    return await handler(request)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/components/http/request_context.py", line 26, in request_context_middleware
    return await handler(request)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/components/http/ban.py", line 86, in ban_middleware
    return await handler(request)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/components/http/auth.py", line 242, in auth_middleware
    return await handler(request)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/components/http/headers.py", line 41, in headers_middleware
    response = await handler(request)
               ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/helpers/http.py", line 73, in handle
    result = await handler(request, **request.match_info)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/config/custom_components/auth_oidc/endpoints/callback.py", line 46, in get
    user_details = await self.oidc_client.async_complete_token_flow(
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        redirect_uri, code, state
        ^^^^^^^^^^^^^^^^^^^^^^^^^
    )
    ^
  File "/config/custom_components/auth_oidc/tools/oidc_client.py", line 694, in async_complete_token_flow
    token_response = await self._make_token_request(
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        token_endpoint, query_params
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    )
    ^
  File "/config/custom_components/auth_oidc/tools/oidc_client.py", line 390, in _make_token_request
    return await response.json()
           ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.13/site-packages/aiohttp/client_reqrep.py", line 756, in json
    raise ContentTypeError(
    ...<7 lines>...
    )
aiohttp.client_exceptions.ContentTypeError: 200, message='Attempt to decode JSON with unexpected mimetype: text/html; charset=utf-8', url='https://home-enterprises.trust.banyanops.com/v2/token'

I tried capture the OIDC authentication flow to see if there's anything that stands out, but my "rcFederation Tracer" extension, which can capture SAML, OIDC, and WS-Fed traffic, but there was very minimal information included in the IdP server response. It hasn't even gotten to the point where the claims are retreieved from the IdP to the SP.

Here's additional log output after setting debug logging enabled. I've filtered out the unrelated components. The first two lines seem to repeat indefinitely.

I have set the following to debug log:

homeassistant.core: debug
homeassistant.helpers.http: debug
annotatedyaml.loader: debug
custom_components.auth_oidc: debug
custom_components.auth_oidc.tools.oidc_client: debug

Click to unhide log output

2025-12-08 01:42:47.673 DEBUG (MainThread) [homeassistant.helpers.http] Serving /auth/token to 192.168.98.166 (auth: False)
2025-12-08 01:42:47.683 DEBUG (MainThread) [homeassistant.helpers.http] Serving /api/websocket to 192.168.98.166 (auth: False)
2025-12-08 01:42:47.708 INFO (MainThread) [homeassistant.components.websocket_api.http.connection] [546208953056] Initialized trigger
2025-12-08 01:42:47.709 INFO (MainThread) [homeassistant.components.websocket_api.http.connection] [546208953056] Initialized trigger
2025-12-08 01:42:47.712 INFO (SyncWorker_10) [homeassistant.loader] Loaded icloud from homeassistant.components.icloud
2025-12-08 01:42:47.714 INFO (SyncWorker_10) [homeassistant.loader] Loaded spotify from homeassistant.components.spotify
2025-12-08 01:42:47.715 INFO (SyncWorker_10) [homeassistant.loader] Loaded tado from homeassistant.components.tado
2025-12-08 01:42:50.816 INFO (MainThread) [homeassistant.components.automation.testing_log_change] Home Assistant Default Log Level: Running automation actions
2025-12-08 01:42:50.817 INFO (MainThread) [homeassistant.components.automation.testing_log_change] Home Assistant Default Log Level: Executing step call service
2025-12-08 01:42:58.578 DEBUG (MainThread) [homeassistant.helpers.http] Serving /api/websocket to 192.168.98.166 (auth: False)
2025-12-08 01:42:58.680 DEBUG (MainThread) [homeassistant.helpers.http] Serving /manifest.json to 192.168.98.166 (auth: False)
2025-12-08 01:43:01.307 DEBUG (MainThread) [homeassistant.helpers.http] Serving /api/websocket to 192.168.98.166 (auth: False)
2025-12-08 01:43:01.311 DEBUG (MainThread) [homeassistant.helpers.http] Serving /manifest.json to 192.168.98.166 (auth: False)
2025-12-08 01:43:01.481 DEBUG (MainThread) [homeassistant.helpers.http] Serving /api/config/automation/config/1765172696003 to 192.168.98.166 (auth: True)
2025-12-08 01:43:03.770 INFO (MainThread) [homeassistant.components.automation.testing_log_change] Home Assistant Default Log Level: Running automation actions
2025-12-08 01:43:03.770 INFO (MainThread) [homeassistant.components.automation.testing_log_change] Home Assistant Default Log Level: Executing step call service
2025-12-08 01:43:06.968 DEBUG (MainThread) [homeassistant.helpers.http] Serving /api/hassio/host/logs/boots to 192.168.98.166 (auth: True)
2025-12-08 01:43:06.971 DEBUG (MainThread) [homeassistant.helpers.http] Serving /api/hassio/core/logs to 192.168.98.166 (auth: True)
2025-12-08 01:43:07.074 INFO (MainThread) [homeassistant.components.websocket_api.http.connection] [546908581664] Initialized trigger
2025-12-08 01:43:07.075 INFO (MainThread) [homeassistant.components.websocket_api.http.connection] [546908581664] Initialized trigger
2025-12-08 01:43:07.077 DEBUG (MainThread) [homeassistant.helpers.http] Serving /api/hassio/core/logs/follow to 192.168.98.166 (auth: True)
2025-12-08 01:43:07.195 DEBUG (MainThread) [homeassistant.helpers.http] Serving /api/hassio/core/logs to 192.168.98.166 (auth: True)
2025-12-08 01:43:07.831 DEBUG (MainThread) [homeassistant.helpers.http] Serving /api/core/state to 172.30.32.2 (auth: True)
2025-12-08 01:43:13.585 DEBUG (MainThread) [homeassistant.helpers.http] Serving /api/core/state to 172.30.32.2 (auth: True)
2025-12-08 01:43:13.587 DEBUG (MainThread) [homeassistant.helpers.http] Serving /api/services to 172.30.32.2 (auth: True)
2025-12-08 01:43:13.596 DEBUG (MainThread) [homeassistant.helpers.http] Serving /api/core/state to 172.30.32.2 (auth: True)
2025-12-08 01:43:13.599 DEBUG (MainThread) [homeassistant.helpers.http] Serving /api/events to 172.30.32.2 (auth: True)
2025-12-08 01:43:13.603 DEBUG (MainThread) [homeassistant.helpers.http] Serving /api/core/state to 172.30.32.2 (auth: True)
2025-12-08 01:43:13.606 DEBUG (MainThread) [homeassistant.helpers.http] Serving /api/states to 172.30.32.2 (auth: True)
2025-12-08 01:43:14.711 DEBUG (MainThread) [homeassistant.helpers.http] Serving /auth/oidc/callback to 192.168.98.166 (auth: False)
2025-12-08 01:43:14.711 WARNING (MainThread) [custom_components.auth_oidc.tools.oidc_client] Failed to complete token flow, returning None. ()
2025-12-08 01:43:14.713 DEBUG (MainThread) [custom_components.auth_oidc.views.loader] Fetching template welcome.html from disk
2025-12-08 01:43:14.714 DEBUG (MainThread) [custom_components.auth_oidc.views.loader] Fetching template base.html from disk
2025-12-08 01:43:14.715 DEBUG (MainThread) [custom_components.auth_oidc.views.loader] Fetching template error.html from disk
2025-12-08 01:43:14.725 DEBUG (MainThread) [custom_components.auth_oidc.views.loader] Fetching template finish.html from disk
2025-12-08 01:43:15.336 DEBUG (MainThread) [homeassistant.helpers.http] Serving /auth/oidc/callback to 192.168.98.166 (auth: False)
2025-12-08 01:43:16.805 DEBUG (MainThread) [homeassistant.helpers.http] Serving /auth/oidc/redirect to 192.168.98.166 (auth: False)
2025-12-08 01:43:16.805 DEBUG (MainThread) [custom_components.auth_oidc.tools.oidc_client] Creating HTTP session provider with options: verify certificates: False, custom CA file: None
2025-12-08 01:43:29.102 DEBUG (MainThread) [homeassistant.helpers.http] Serving /auth/oidc/callback to 192.168.98.166 (auth: False)
2025-12-08 01:43:29.194 ERROR (MainThread) [aiohttp.server] Error handling request from 192.168.98.166
Traceback (most recent call last):
  File "/usr/local/lib/python3.13/site-packages/aiohttp/web_protocol.py", line 510, in _handle_request
    resp = await request_handler(request)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.13/site-packages/aiohttp/web_app.py", line 569, in _handle
    return await handler(request)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.13/site-packages/aiohttp/web_middlewares.py", line 117, in impl
    return await handler(request)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/components/http/security_filter.py", line 92, in security_filter_middleware
    return await handler(request)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/components/http/forwarded.py", line 87, in forwarded_middleware
    return await handler(request)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/components/http/request_context.py", line 26, in request_context_middleware
    return await handler(request)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/components/http/ban.py", line 86, in ban_middleware
    return await handler(request)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/components/http/auth.py", line 242, in auth_middleware
    return await handler(request)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/components/http/headers.py", line 41, in headers_middleware
    response = await handler(request)
               ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/helpers/http.py", line 73, in handle
    result = await handler(request, **request.match_info)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/config/custom_components/auth_oidc/endpoints/callback.py", line 46, in get
    user_details = await self.oidc_client.async_complete_token_flow(
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        redirect_uri, code, state
        ^^^^^^^^^^^^^^^^^^^^^^^^^
    )
    ^
  File "/config/custom_components/auth_oidc/tools/oidc_client.py", line 694, in async_complete_token_flow
    token_response = await self._make_token_request(
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        token_endpoint, query_params
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    )
    ^
  File "/config/custom_components/auth_oidc/tools/oidc_client.py", line 390, in _make_token_request
    return await response.json()
           ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.13/site-packages/aiohttp/client_reqrep.py", line 756, in json
    raise ContentTypeError(
    ...<7 lines>...
    )
aiohttp.client_exceptions.ContentTypeError: 200, message='Attempt to decode JSON with unexpected mimetype: text/html; charset=utf-8', url='https://home-enterprises.trust.banyanops.com/v2/token'

I appreciate your time for reading this and please let me know what information I can provide.

Thank you,
Brian

[christiaangoossens]

The error indicates that the request to https://home-enterprises.trust.banyanops.com/v2/token was answered with mimetype text/html (a HTML page). That's unusual as all permitted responses from the OIDC spec are JSON. Therefore, the process exits.

Can you check the logs on the Cloud Secure Edge side? My guess is that the client id, client secret or redirect URI is set wrong and that you are getting a user-facing error because of that.

[btbutts]

Thanks for the response. They are most certainly set correctly. This is one of about a dozen OIDC configuration's I've done with it. I'm an engineer for the company that develops CSE, SonicWall, so I'm quite familiar with the product.

As I stated in my opening post, the add-on has no issue redirecting to CSE, in which I am able to successfully complete authentication, therefore the discovery_url is set correctly in configuration.yaml, as are the client_secret and and client_ID, this would fail if they were not. On the CSE side, the Redirect URL is set as: https://homeassistant.homeenterprises.us:8443/auth/oidc/callback. My Home Assistant config uses TCP 8443 for this web UI. Therefore, this matches your documentation.

Please have a look at the json attachment which contains the OIDC message trace (I have partially redacted the OIDC client_id from the output). I wish this were as simple as a id10t error... :)

Most of the responses in this file are between CSE and the OIDC add-on. However, there is one message which was detected as OATH by my SSO Trace extension between OneLogin and CSE. Again, CSE authenticates users via OneLogin via SAML, and then claims like roles, groups, username, etc... are remapped under the OIDC specification as the add-on attempts OIDC SSO with CSE. I'm starting each new test using a totally clean browser which means my CSE tenant needs to me to reauth with OneLogin each time I try to sign into HA using this add-on, since there's no session cookie available to skip the full One Login sso step. I just wanted to explain why that's in there.

2025-12-09 - rcFederation message list export OIDC Home Assistant.json

[btbutts]

I would like to attempt to capture the output. The error is generated when the OIDC add on executes the _make_token_request function. I'm looking at adding an if statment that if the response is determined as html, it will pipe the output to a text file.

Unless you already have something that will do something similar? I'd like to see if there is actually an incorect, unhandled response received, or if the issue may actually be that the json is wrapped in some html header which "return await response.json()" can't handle.

Anyways, that's my theory as I've not much to go on right now other than what I've sent you so far.

Please let me know if you have any better debugging ideas. I'm all ears.

Cheers!

EDIT 1: Quick Note: Looks like my install of hass-oidc-auth is out of date when I directly compare the version of oidc_client.py I installed on 13NOV2025 to the version in the repo. There aren't any upgrade notifications for the add-on in HA. I'm going to remove the addon and repo from HACS and readd it and see if the behavior changes at all, as I don't know what other changes were made. I could look but if I'm going to start tweaking/dubugging, I might as well be up to date...

[christiaangoossens]

JSON wrapped in HTML is not supported (and I don't think the OAuth specs allow it either). Might indeed be the issue. You would be surprised how many times it's actually a config error though, so that's why I'm checking. Let me know how your debugging goes.

The repo is different because it's already working on a new version (0.7 pre release). The last release you should use (0.6.3) can be downloaded from the Github Releases and is also the version HACS uses.

[btbutts]

Simple config/fat-finger mistakes are often the issue for sure from what I see.

Thanks for the versioning info. 0.6.3 it is!

[btbutts]

I was able to capture the token response, which was in HTML, but it contained an error that's uncaptured in our Command Console due to CSE's expected authentication flow. CSE has to ways of federating SaaS apps:

1. CSE Federated - This is the concept I've previously covered, where user credential auth & MFA steps are completed indirectly of the Service Provider's (SP | hass-oidc-auth in ths case) auth flow with its configured IdP, CSE. The SP is simply left waiting for a response from CSE, whilst CSE attempts user authorizion with its configured upstream IdP, OneLogin in my case. These are intended to be entirely seperate authentication chains. User's must complete both authentication chains before a timeout, as defined within NotBefore & NotOnOrAfter, though this is also intended to appear transparent.

2. IdP Routed - This is a significantly more integrated authentication flow, where the SP, the upstream IdP, and CSE are all in the same auth chain. The SP attempts authentication directly with the upstream IdP (OneLogin), which will conduct a device authorization check with CSE. The user then completes credential auth & MFA at the upstream IdP, which then awaits an access policy decision from CSE, before issuing a token for the user to the SP.

I wanted to briefly cover that (I'm glossing over A LOT) because the only intended case where the upstream IdP should see requests directly from the SP is with an IdP Routed config. However, in this case, where I've configured CSE Federated, I'm seeing a OneLogin authentication failure redirect response generated by CSE via a second authentication session from the SP (hass-oidc-auth addon). CSE's console could not capture this error information since it was not specific enough to associate it with my tenant. It's entirely disjoined from the succeeded authentication flow between the add-on and CSE. This HTML is just a generic, web-based error handler built into the platform. If it were tenant specific, it would have indentifiers we could trace it with internally.

Here's the captured HTML, which is the response to the function: _make_token_request in oidc_client.py.

Click to unhide captured HTML response

<!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
    <title>Cloud Secure Edge</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <link
      href="https://fonts.googleapis.com/css?family=Inter:400,600"
      rel="stylesheet"
    />
    <link href="/web/css/main.css" rel="stylesheet" />
    <link rel="icon" href="/web/images/favicon.svg" type="image/svg+xml"/>
<style>
  
    header {
      background-color: #2259ac;
    }

</style>

</head>
<body>

<header>

<img id="logo" src="/web/images/logo.svg" alt="company logo" />

</header>

<main>
<div class="card">

<span class="icon error-icon"></span>

<h1>Get Token Error</h1>

</div>

<div class="card">

<p>

No PKCE flow started. Cannot check code_verifier.<br /><br />

Sorry, but you've been forbidden from accessing this web content. Nice try!<br />

<a href="https://home-enterprises.onelogin.com/login2/?return=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmZl9tdWx0aXBsZV9icmFuZHMiOmZhbHNlLCJ1cmkiOiJodHRwczovL2hvbWUtZW50ZXJwcmlzZXMub25lbG9naW4uY29tLyIsImJyYW5kX2lkIjoibWFzdGVyIiwiYXVkIjoiQUNDRVNTIiwiaXNzIjoiTU9OT1JBSUwiLCJleHAiOjE3Mjc0NTYyODIsInBhcmFtcyI6e30sIm1ldGhvZCI6ImdldCJ9.O-R1k2JT_PFkxU1yd3lYIK0tfyEgQf_7OA14V9S38YM#app=" class="button"

> Get

Help </a

>

</p>
</div>

<div class="card row">
<div class="reference">

<div class="label">TP Reference ID:</div>

FriTEtjSmuDYqJ0wpRLK-w

</div>
<div class="reference">

<div class="label">Timestamp:</div>

2025-12-10 21:11:50 UTC

</div>

</main>

</body>

</html>
</div>

After I raised this internally, we discussed two possibilities.
One is that there is an issue with our CSE Federated OIDC integration. However, we can't shake the fact that the error in the HTML was unsigned by the tenant, without any identifiers in it, something they're adamant should occur.

Second, perhaps there's an issue with the submission against the OIDC token endpoint, that is incorrectly formatted, or something else, causing the error. That's so vague though it doesn't help much and could very well still be a CSE issue, or an add-on issue.

Bottom line, I'll have to spend some time debugging nearly the entire auth chain at this point. ...This just got fun... ;)

I've also copied the successful OIDC auth log from the add-on to CSE for reference.

Click to unhide CSE Auth SUCCESS Log Output

{
     "id": "__REDACTED__",
     "external_id": "__REDACTED__",
     "org_id": "__REDACTED__",
     "org_name": "__REDACTED__",
     "severity": "DEBUG",
     "action": "IDP",
     "type": "Identity",
     "sub_type": "UserPrincipal",
     "message": "SUCCESS - Authorization Code Generated",
     "result": "DEBUG",
     "created_at": 1765401601640,
     "reported_by": {
          "type": "trustprovider",
          "host_name": "trust.banyanops.com",
          "host_ip": "",
          "access_tier_name": "",
          "access_tier_public_address": "",
          "host_version": ""
     },
     "created_at_ns": 1765401601640000000,
     "user_principal": {
          "user": {
               "name": "Brian Butts",
               "email": "blackhole@homeenterprises.us",
               "groups": [
                    "ADSyncAdmins",
                    "CSE-Device-Registration",
                    "Domain Admins",
                    "Domain Users",
                    "Login_TC_Users",
                    "NSM Accessible Users",
                    "OneLogin Authenticated Users",
                    "OneLogin-Admins",
                    "RCDevs Users",
                    "Remote Desktop Users",
                    "SAML Auth Service",
                    "SMA Admins",
                    "SonicWALL Administrators",
                    "Users"
               ],
               "roles": [
                    "OneLogin-Admins",
                    "SonicWall-Administrators_FW-Mgmt",
                    "Mac_Web_Filter_Users",
                    "Permit-CSE-Admin-Access",
                    "Network_Infrastructure_Admins_Web",
                    "All_Users_Role",
                    "All_CSE_Users",
                    "Network_Infrastructure_Admins"
               ]
          },
          "device": {
               "id": "",
               "friendly_name": "",
               "mac_address": "",
               "serial_number": "__REDACTED__",
               "compromised_status": "",
               "compliance_status": "",
               "oem_info": "",
               "model": "MacBook Pro",
               "platform": "macOS",
               "ownership": "Employee Owned",
               "architecture": "arm64",
               "udid": "",
               "source": "BNN",
               "last_mdm_data_synced_at": 1765399570108667400,
               "last_ip_address": "70.237.84.206:26874",
               "last_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36 Edg/143.0.0.0",
               "unregistered": false,
               "os": "macOS 15.6 (24G84)",
               "trust_score_feature": null
          },
          "client": {
               "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36 Edg/143.0.0.0",
               "ip_address": "10.44.6.4:36012",
               "geo_location": {
                    "city": "",
                    "region": "",
                    "country": "",
                    "continent": "",
                    "latitude": 0,
                    "longitude": 0
               }
          }
     },
     "service": {
          "id": "__REDACTED__",
          "name": "Home Assistant - OIDC",
          "type": "OIDC",
          "version": "",
          "is_saas_app": true
     }
}

Here's the modified function for your reference: _make_token_request

## Added for debugging token response ##
from pathlib import Path
import json

...break...

    async def _make_token_request(self, token_endpoint, query_params):
        """Performs the token POST call"""
        try:
            session = await self._get_http_session()

            async with session.post(token_endpoint, data=query_params) as response:
                await self.http_raise_for_status(response)
                
                # Read the response as text
                response_text = await response.text()
            
                try:
                    # Attempt to parse the response as JSON
                    parsed_json = json.loads(response_text)
                    # If parsing succeeds, it's JSON, so do not write to file
                except json.JSONDecodeError:
                    # If it's not JSON, write the response to the file
                    file_path = Path.cwd() / "custom_components/auth_oidc/token_response.txt"
                    with open(file_path, 'w', encoding='utf-8') as f:
                        f.write(response_text)
                    raise  # Re-raise the exception to propagate the error
            
                # If parsing succeeded, return the parsed JSON
                return parsed_json
                
                #return await response.json()
                
        except HTTPClientError as e:
            if e.status == 400:
                _LOGGER.warning(
                    "Error: Token could not be obtained (%s, %s), "
                    + "did you forget the client_secret? Server returned: %s",
                    e.status,
                    e.message,
                    e.body,
                )
            else:
                _LOGGER.warning("Unexpected error exchanging token: %s", e)

            raise OIDCTokenResponseInvalid from e

[btbutts]

I found your PKCE carrot (that it can be disabled). :) Of course this isn't reccomended for production, but it may be helpful for testing. I've set features.disable_rfc7636 to True in configuration.yaml since the error returned from the token response indicated "No PKCE flow started", even though PKCE is enabled by default.

This resulted in the error in the HTML response to _make_token_request changing. Here's a shortened output, since most of the file is irrelevant:

<div class="card">
  <p>
    We are unable to authenticate you because a required claim was not provided - email. Please contact your administrator for resolution.<br /><br />
    Sorry, but you&#39;ve been forbidden from accessing this web content. Nice try!<br />
    <a href="https://home-enterprises.onelogin.com/login2/?return=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmZl9tdWx0aXBsZV9icmFuZHMiOmZhbHNlLCJ1cmkiOiJodHRwczovL2hvbWUtZW50ZXJwcmlzZXMub25lbG9naW4uY29tLyIsImJyYW5kX2lkIjoibWFzdGVyIiwiYXVkIjoiQUNDRVNTIiwiaXNzIjoiTU9OT1JBSUwiLCJleHAiOjE3Mjc0NTYyODIsInBhcmFtcyI6e30sIm1ldGhvZCI6ImdldCJ9.O-R1k2JT_PFkxU1yd3lYIK0tfyEgQf_7OA14V9S38YM#app=" class="button"
      > Get
      Help </a
    >
  </p>

</div>

Again, OneLogin and CSE both show that authentication was successful, but the return link provided in the html error from CSE is to OneLogin and not the SP. This, in combination with the fact that the original error reflected "No PKCE flow started" when the SAML protocol is selected for authenticaiton between CSE and OneLogin, thus PKCE is not used for that auth flow, and that now I'm seeing a claim error, leads me to wonder if the intial request itself is being mangled somehow, or perhaps in a syntax the upstream IdP services can't handle.

I think this will require further exporting requests and responses to a file for manual review at stategic points of the auth sequence, if nothing else to validate the SP side is appropriate, with and without PKCE (which should be used between the add-on and CSE).

[christiaangoossens]

Everything you need should be in the oidc_client.py file. OIDC implementation here is done by me directly, there was no modern OIDC client lib in the python ecosystem (at least when I started working on it). Let me know what you find.

[btbutts]

Thanks. I am impressed with what you've got though. Writing an OIDC library with extensible vendor support requires extensive knowledge of the auth sequence and specific handling by various IdPs. So many OIDC implementations I see out there only work for one or two IdPs and this one seems to have several already working.

[christiaangoossens]

Actually, this would be the first IdP it doesn't play nice with. Authentik, authelia, pocket id, google, microsoft entra, adfs (without group mapping, we haven't found out how to configure adfs correctly), keycloak, kanidm, nextcloud and zitadel are confirmed to work.

[olivluca]

add lemonldap to the list

[btbutts]

I may have made some headway. After I disabled PKCE, the error I captured in response to _make_token_request showed that the required claim email was not included, in the query to the Token endpoint URL:

https://home-enterprises.trust.banyanops.com/v2/token

Here's the query I captured:

----------BEGIN TOKEN REQUEST----------
Token Endpoint URL: https://home-enterprises.trust.banyanops.com/v2/token
Query Parameters:
{'grant_type': 'authorization_code', 'client_id': 'REDACTED-4Lhe0BvTpnLDXs-XFlE4', 'code': 'x6iog3n4o3pc2xlv5cmb6dizm', 'redirect_uri': 'https://homeassistant.homeenterprises.us:8443/auth/oidc/callback', 'client_secret': 'REDACTED'}

Sure enough, email is not included. My understanding is that email, along with openid and profile, should be included in the scope query. OpenID Connect Core 1.0 specification, Section 3.1.2.1. Authentication Request.

They show a couple examples of ths as well:

  HTTP/1.1 302 Found
  Location: https://server.example.com/authorize?
    response_type=code
    &scope=openid%20profile%20email
    &client_id=s6BhdRkqt3
    &state=af0ifjsldkj
    &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb

  GET /authorize?
    response_type=code
    &scope=openid%20profile%20email
    &client_id=s6BhdRkqt3
    &state=af0ifjsldkj
    &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1
  Host: server.example.com

As per your documentation, I was hoping I could simply define email under: additional_scopes. Unfortunately, that resulted in an error when I attempt authentication from the welcome URL (/auth/oidc/welcome). I click the Login button, but I receive an error at the /auth/oidc/callback endpoint:

Login failed.
Missing code or state parameter.

The URL in by browser where this error is displayed is odd too:

https://homeassistant.homeenterprises.us:8443/auth/oidc/callback?error=invalid_scope&error_description=Unrecognized+scope%28s%29+%5B%22e%22+%22m%22+%22a%22+%22i%22+%22l%22%5D&state=rmvutagpbrrjk3enii3e7y265

After the error=invalid_scope&error_description=Unrecognized in the URL, this reads as:
+scope(s)+["e"+"m"+"a"+"i"+"l"]&state=rmvutagpbrrjk3enii3e7y265, which my guess is this is unhandled

I can't even reach my IdP to attempt SSO with this email scope added.

Here's the current configuration.yaml with the additional_scopes added, though today's the first time I've tried that.

auth_oidc:
    client_id: "__REDACTED__"
    client_secret: !secret CSE_HA_OIDC_ClientSecret
    discovery_url: "https://home-enterprises.trust.banyanops.com/v2/.well-known/__REMOVED__"
    display_name: "CSE OIDC Authentication (SSO)"
    additional_scopes: "email"
    features:
        automatic_person_creation: True
        disable_rfc7636: True

Also, for your reference, here's the discovery document for the CSE IdP disc. endpoint (pretty-print for readability) I captured from _fetch_discovery_document response as part of debugging:

{
    "issuer": "https://home-enterprises.trust.banyanops.com/v2",
    "authorization_endpoint": "https://home-enterprises.trust.banyanops.com/v2/auth",
    "token_endpoint": "https://home-enterprises.trust.banyanops.com/v2/token",
    "jwks_uri": "https://home-enterprises.trust.banyanops.com/v2/.well-known/__REMOVED__",
    "userinfo_endpoint": "https://home-enterprises.trust.banyanops.com/v2/userinfo",
    "response_types_supported": [
        "code",
        "code id_token"
    ],
    "subject_types_supported": [
        "public"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "scopes_supported": [
        "openid",
        "email",
        "profile",
        "groups",
        "roles"
    ]
}

[christiaangoossens]

It's possible that additional_scopes is weird, it was a community PR. Requiring email as a scope is also weird though, it's not required per spec (see OIDC spec section 5.4) and HA doesn't use any email so we don't request it. Profile is used, so it's also requested as a scope.